Bug 274927

Summary: [GTK] UI process crash in gtk_accessible_update_children
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro
Priority: P2    
Version: Other   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=272248

Michael Catanzaro
Reported 2024-05-30 14:14:07 PDT
Visit https://pwg.org/printers/ in Epiphany Tech Preview using WebKitGTK 2.45.3. Click on the "Make, model, etc." search entry, press Ctrl+W to close the page. The UI process will crash. This is obscuring bug #272248, a web process crash that occurs when following the same steps. (gdb) bt #0 0x00007f0468aeb2bd in gtk_accessible_update_children (self=0x55857cade850, child=child@entry=0x55857d3cdad0, state=state@entry=GTK_ACCESSIBLE_CHILD_STATE_REMOVED) at ../gtk/gtkaccessible.c:1334 #1 0x00007f0468cc8176 in gtk_widget_unparent (widget=0x55857d3cdad0 [GtkPopover]) at ../gtk/gtkwidget.c:2560 #2 0x00007f046448c533 in WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:113 #3 WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:102 #4 0x00007f04643389fc in WTF::RefCounted<WebKit::WebDataListSuggestionsDropdown>::deref (this=0x55857cade858) at WTF/Headers/wtf/RefCounted.h:220 #5 WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown>::derefIfNotNull (ptr=0x55857cade850, ptr@entry=0x7f03ed1c4800) at WTF/Headers/wtf/Ref.h:62 #6 WTF::RefPtr<WebKit::WebDataListSuggestionsDropdown, WTF::RawPtrTraits<WebKit::WebDataListSuggestionsDropdown>, WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown> >::~RefPtr (this=0x7f03ed1c5180) at WTF/Headers/wtf/RefPtr.h:60 #7 WebKit::WebPageProxy::Internals::~Internals (this=0x7f03ed1c4800) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxyInternals.h:153 #8 0x00007f04642eed9e in std::default_delete<WebKit::WebPageProxy::Internals>::operator() (this=<optimized out>, __ptr=0x7f03ed1c4800) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:99 #9 std::unique_ptr<WebKit::WebPageProxy::Internals, std::default_delete<WebKit::WebPageProxy::Internals> >::~unique_ptr (this=0x7f04594eb4a8) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:404 #10 WTF::UniqueRef<WebKit::WebPageProxy::Internals>::~UniqueRef (this=0x7f04594eb4a8) at WTF/Headers/wtf/UniqueRef.h:57 #11 WebKit::WebPageProxy::~WebPageProxy (this=0x7f04594eb480) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:831 #12 0x00007f04642efb92 in WebKit::WebPageProxy::~WebPageProxy (this=0x55857cade850) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:790 #13 0x00007f04643408be in WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const::{lambda()#1}::operator()() const (this=<optimized out>) at WTF/Headers/wtf/ThreadSafeRefCounted.h:144 #14 WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref (this=0x55857cade858) at WTF/Headers/wtf/ThreadSafeRefCounted.h:156 #15 WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>::derefIfNotNull (ptr=0x55857cade850) at WTF/Headers/wtf/Ref.h:62 #16 WTF::Ref<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy> >::~Ref (this=0x7f0459572648) at WTF/Headers/wtf/Ref.h:82 #17 WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0::~$_0() (this=0x7f0459572648) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:3484 #18 IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}::~ThreadLikeAssertion() (this=0x7f0459572648) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.h:794 #19 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}, void, IPC::Decoder*>::~CallableWrapper() (this=0x7f0459572640) at WTF/Headers/wtf/Function.h:47 #20 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}, void, IPC::Decoder*>::~CallableWrapper() (this=0x7f0459572640) at WTF/Headers/wtf/Function.h:47 #21 0x00007f046426bff1 in WTF::Function<void (IPC::Decoder*)>::operator()(IPC::Decoder*) const (in=0x7f0459019400, this=<optimized out>) at WTF/Headers/wtf/Function.h:82 #22 WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*) (this=0x7ffde25347a0, in=0x7f0459019400) at WTF/Headers/wtf/CompletionHandler.h:78 #23 IPC::Connection::dispatchMessage (this=0x7f0459049860, decoder=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1312 #24 0x00007f046426c175 in IPC::Connection::dispatchMessage (this=0x7f0459049860, message=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1378 #25 0x00007f046426c6b1 in IPC::Connection::dispatchIncomingMessages (this=0x7f0459049860) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1488 #26 0x00007f04631a615b in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82 #27 WTF::RunLoop::performWork (this=0x7f04590140e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147 #28 0x00007f046320be0d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x55857cade850, userData@entry=0x7f04590140e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80 #29 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x55857cade850) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79 #30 0x00007f046320af71 in WTF::RunLoop::$_0::operator() (source=0x55857b4ebfb0, callback=0x7f046320be00 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f04590140e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53 #31 WTF::RunLoop::$_0::__invoke (source=0x55857b4ebfb0, callback=0x7f046320be00 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f04590140e0) --Type <RET> for more, q to quit, c to continue without paging--c at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45 #32 0x00007f046983d787 in g_main_dispatch (context=context@entry=0x55857b4a9950) at ../glib/gmain.c:3348 #33 0x00007f046983f927 in g_main_context_dispatch_unlocked (context=0x55857b4a9950) at ../glib/gmain.c:4197 #34 g_main_context_iterate_unlocked (context=context@entry=0x55857b4a9950, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4262 #35 0x00007f04698400d3 in g_main_context_iteration (context=context@entry=0x55857b4a9950, may_block=may_block@entry=1) at ../glib/gmain.c:4327 #36 0x00007f04696de40d in g_application_run (application=0x55857b4e57c0 [EphyShell], argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2712 #37 0x0000558579a0713e in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:461 More detail on the first few frames: (gdb) bt full #0 0x00007f0468aeb2bd in gtk_accessible_update_children (self=0x55857cade850, child=child@entry=0x55857d3cdad0, state=state@entry=GTK_ACCESSIBLE_CHILD_STATE_REMOVED) at ../gtk/gtkaccessible.c:1334 __inst = 0x55857cade850 __t = 0x55857b4e4a20 [GtkWidget/GInitiallyUnowned] __r = <optimized out> context = <optimized out> #1 0x00007f0468cc8176 in gtk_widget_unparent (widget=0x55857d3cdad0 [GtkPopover]) at ../gtk/gtkwidget.c:2560 priv = <optimized out> old_parent = <optimized out> old_prev_sibling = <optimized out> root = <optimized out> __func__ = "gtk_widget_unparent" #2 0x00007f046448c533 in WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:113 _pp = {in = 0x7f04595480e8 "", out = 0x7f04595480e8} _p = 0x55857cade850 _pp = {in = <optimized out>, out = <optimized out>} _p = <optimized out> _destroy = <optimized out> #3 WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:102 #4 0x00007f04643389fc in WTF::RefCounted<WebKit::WebDataListSuggestionsDropdown>::deref (this=0x55857cade858) at WTF/Headers/wtf/RefCounted.h:220 #5 WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown>::derefIfNotNull (ptr=0x55857cade850, ptr@entry=0x7f03ed1c4800) at WTF/Headers/wtf/Ref.h:62 #6 WTF::RefPtr<WebKit::WebDataListSuggestionsDropdown, WTF::RawPtrTraits<WebKit::WebDataListSuggestionsDropdown>, WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown> >::~RefPtr (this=0x7f03ed1c5180) at WTF/Headers/wtf/RefPtr.h:60 #7 WebKit::WebPageProxy::Internals::~Internals (this=0x7f03ed1c4800) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxyInternals.h:153 #8 0x00007f04642eed9e in std::default_delete<WebKit::WebPageProxy::Internals>::operator() (this=<optimized out>, __ptr=0x7f03ed1c4800) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:99 #9 std::unique_ptr<WebKit::WebPageProxy::Internals, std::default_delete<WebKit::WebPageProxy::Internals> >::~unique_ptr (this=0x7f04594eb4a8) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:404 __ptr = @0x7f04594eb4a8: 0x7f03ed1c4800 #10 WTF::UniqueRef<WebKit::WebPageProxy::Internals>::~UniqueRef (this=0x7f04594eb4a8) at WTF/Headers/wtf/UniqueRef.h:57 #11 WebKit::WebPageProxy::~WebPageProxy (this=0x7f04594eb480) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:831 preferences = {static isRef = <optimized out>, m_ptr = <optimized out>} #12 0x00007f04642efb92 in WebKit::WebPageProxy::~WebPageProxy (this=0x55857cade850) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:790
Attachments
Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2024-05-30 14:16:47 PDT
There's a helpful warning before the crash: (epiphany:2): Gtk-WARNING **: 16:16:17.698: Finalizing EphyWebView 0x55d4f7569670, but it still has children left: - GtkPopover 0x55d4f7615fd0 This should probably be a critical rather than a warning.
Michael Catanzaro
Comment 2 2024-05-30 16:30:47 PDT
Pull request: https://github.com/WebKit/WebKit/pull/29341
EWS
Comment 3 2024-05-31 05:20:03 PDT
Committed 279571@main (34f75014ef73): <https://commits.webkit.org/279571@main> Reviewed commits have been landed. Closing PR #29341 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.